package com.gitblit.transport.ssh;

import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.manager.IAuthenticationManager;
import com.gitblit.models.UserModel;
import java.util.Locale;
import org.apache.sshd.server.auth.gss.GSSAuthenticator;
import org.apache.sshd.server.session.ServerSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/gitblit/transport/ssh/SshKrbAuthenticator.class */
public class SshKrbAuthenticator extends GSSAuthenticator {
    protected final Logger log = LoggerFactory.getLogger(getClass());
    protected final IAuthenticationManager authManager;
    protected final boolean stripDomain;

    public SshKrbAuthenticator(IStoredSettings iStoredSettings, IAuthenticationManager iAuthenticationManager) {
        this.authManager = iAuthenticationManager;
        String string = iStoredSettings.getString(Keys.git.sshKrb5Keytab, "");
        if (!string.isEmpty()) {
            setKeytabFile(string);
        }
        String string2 = iStoredSettings.getString(Keys.git.sshKrb5ServicePrincipalName, "");
        if (!string2.isEmpty()) {
            setServicePrincipalName(string2);
        }
        this.stripDomain = iStoredSettings.getBoolean(Keys.git.sshKrb5StripDomain, false);
    }

    public boolean validateIdentity(ServerSession serverSession, String str) {
        int indexOf;
        this.log.info("identify with kerberos {}", str);
        SshDaemonClient sshDaemonClient = (SshDaemonClient) serverSession.getAttribute(SshDaemonClient.KEY);
        if (sshDaemonClient.getUser() != null) {
            this.log.info("{} has already authenticated!", str);
            return true;
        }
        String lowerCase = str.toLowerCase(Locale.US);
        if (this.stripDomain && (indexOf = lowerCase.indexOf(64)) > 0) {
            lowerCase = lowerCase.substring(0, indexOf);
        }
        UserModel authenticate = this.authManager.authenticate(lowerCase);
        if (authenticate != null) {
            sshDaemonClient.setUser(authenticate);
            return true;
        }
        this.log.warn("could not authenticate {} for SSH", lowerCase);
        return false;
    }
}
